Excel macro testing

Page 2 of 3

Re: Excel macro testing

Post by p2u on 30/12/2010, 23:00

wat0114 wrote:testing it sandboxed or virtualized might be the best and maybe only way to know if it's safe or not.
For now, yes, but I think that with time we will see sandboxes of all sorts being easily bypassed by ever more sneaky mechanisms. A hyper-vulnerable system like Windows can only be protected from the outside, not from the inside. Therefore it doesn't make sense to install protection *on* the system, especially if that system is lying to you.

Paul

p2u
Valued Member
Posts : 211
Join date : 2010-12-14

Re: Excel macro testing

Post by ssj100 on 31/12/2010, 00:27

p2u's got it spot on.

Just to clarify, since cmd.exe and regedit.exe are built into the Excel macro and launched into memory within the Excel process, blocking the system's cmd.exe and regedit.exe will do nothing - I've tested this too.

Also, SRP/AppLocker will still block subsequent PE executable code written on the hard disk. However, assuming the worst case scenario (as p2u suggests), if the attack only takes place in memory via similar methods, then the user can potentially get owned despite having strict SRP/AppLocker rules.

With regards to sandboxes being bypassed, we can worry about that when/if the time comes. Keep in mind that these POCs are not new - they are at least a year old (the one that disables SRP is over 2 years old). And in fact, I'm pretty sure they have been made publicly available for quite some time.


Last edited by ssj100 on 31/12/2010, 00:31; edited 1 time in total

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator
Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com

Re: Excel macro testing

Post by wat0114 on 31/12/2010, 00:30

p2u wrote:
wat0114 wrote:testing it sandboxed or virtualized might be the best and maybe only way to know if it's safe or not.
For now, yes, but I think that with time we will see sandboxes of all sorts being easily bypassed by ever more sneaky mechanisms. A hyper-vulnerable system like Windows can only be protected from the outside, not from the inside. Therefore it doesn't make sense to install protection *on* the system, especially if that system is lying to you.

Paul

For now it seems to me as almost incomprehensible - LOL - that Sandboxie could one day be bypassed, but I fear you are probably right. Maybe only in a VM running in a limited account (as I have) or running the VM sandboxed as ssj has successfully proven possible might be the most secure approach. Either that or a dedicated test host system with an image containing no private, personal information could be used. I've thought of this as being the best because then VM-aware malware will be a non-issue for the tester. It would only take a spare h/drive that could be swapped over to whenever one wants to test, then the known, clean image could be replaced when done if the test file turns out to be malicious. The drawback obviously to this is the time resources required. Just my thoughts.

wat0114
Advanced Member
Posts : 152
Join date : 2010-05-11

Re: Excel macro testing

Post by wat0114 on 31/12/2010, 00:35

ssj100 wrote:p2u's got it spot on.

Just to clarify, since cmd.exe and regedit.exe are built into the Excel macro and launched into memory within the Excel process, blocking the system's cmd.exe and regedit.exe will do nothing - I've tested this too.

Absolutely, and Paul explained it nicely. What a diabolical bypass this is.

Also, SRP/AppLocker will still block subsequent PE executable code written on the hard disk. However, assuming the worst case scenario (as p2u suggests), if the attack only takes place in memory via similar methods, then the user can potentially get owned despite having strict SRP/AppLocker rules.

This will mean more emphasis on using common sense before opening this type file, since if it's zero-day, one can't rely on updated av. Although there is, for now, the sandboxing/virtualized approach as well.

With regards to sandboxes being bypassed, we can worry about that when/if the time comes. Keep in mind that these POCs are not new - they are at least a year old. And in fact, I'm pretty sure they have been made publicly available for quite some time.

Right, it's just a matter of time before they become mainstream, I would think.


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 00:43

wat0114, since you follow the approach "obtain it from a source I can trust before even thinking about launching it", there probably isn't much to worry about.

In the end, we need to have some level of trust. For example, we all trust that our food isn't poisoned with cyanide when we go out to eat (we don't get a slave to taste test it first). The same goes with the water we drink - we all trust our governments/water companies to provide us with water that doesn't kill us haha. We don't go about testing the water for "malicious activity" - we just drink it without a second thought.

Of course, common sense and experience will/should help us make better decisions, just like with anything in life. For example, filtering or boiling water before we drink it may reduce the chances of getting "attacked".

Anyway, enough of these analogies already haha.


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 00:49

wat0114 wrote:Right, it's just a matter of time before they become mainstream, I would think.
I'm not sure about this. Surely Didier Stevens wasn't the first person to work out how to disable SRP or bypass SRP/AppLocker by launching executable code within a trusted process? Perhaps he was the first one to make it public knowledge? But SRP has been around for nearly 10 years, and I'd bet that many hackers out there would have worked it all out long ago.

So why aren't we seeing more of this type of malware in-the-wild?


Re: Excel macro testing

Post by p2u on 31/12/2010, 01:00

ssj100 wrote:So why aren't we seeing more of this type of malware in-the-wild?
This type of bypass is just a "promise" for the future. Right now, from a business point of view, it doesn't make sense to invest too much in them while the majority of Windows users sit with a bare OS and pseudo-security solutions, anti-this and anti-that, actually only eating resources...

Paul


Re: Excel macro testing

Post by Binky on 31/12/2010, 07:49

Many years ago, I switched from MS Office to Sun's StarOffice because it did not support macros that could make OS calls, yet StarOffice can read and write to MS Office formats. Sun was purchased by Oracle, and OpenOffice.org now offers software that is almost identical to StarOffice. Does opening the document with OpenOffice.org block the POC?

Binky
Member
Posts : 35
Join date : 2010-11-10

Re: Excel macro testing

Post by ssj100 on 31/12/2010, 08:08

I have doubts that the POC would work with OpenOffice.org (as it wasn't coded/tested with that).

However, I personally don't think that using different software is adequate mitigation (from a purist point of view). It's like saying - the POC doesn't work because I use Linux (not really an accurate comparison, but hopefully the point is made).

But this doesn't mean to say that I don't recommend using different software for the purposes of "security by obscurity".

Anyway, I may try testing the POC with OpenOffice.org some time.


Re: Excel macro testing

Post by p2u on 31/12/2010, 13:43

ssj100 wrote:I personally don't think that using different software is adequate mitigation (from a purist point of view).
If there's support missing for harmful functionality (SumatraPDF, for example, doesn't support any dynamic content, such as JavaScript, and doesn't share any code at all with the Adobe Reader) or if the alternative offers better configuration options (for security, not convenience!), then using different software may satisfy even the purest of purists.

Paul


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 16:30

Haha, I would think that the purest of purists would want to directly block or contain this type of attack vector, rather than just using an alternate piece of software. I don't think you can always tell which software may be exploited - it doesn't necessarily need to be with a pdf or office related file.

Perhaps the purest of purists would use Linux? Haha, I don't know.


Re: Excel macro testing

Post by p2u on 31/12/2010, 16:37

ssj100 wrote:Perhaps the purest of purists would use Linux? Haha, I don't know.
Nope. I suspect that Linux machines are most often hacked (don't forget all those servers), and Mac starts displaying its many bugs when you start throwing corrupted files at it. Those types of OS (especially client machines) are just not targets yet.
P.S.: Removing the attack vector you are talking about assumes rethinking the concept of Windows and rewriting the OS from the start. From 2000 on, nothing has really changed. Microsoft has just built in some rather obscure "security" mechanisms, mostly taking away the possibility (even for experienced administrators) to configure the system easily.

Paul


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 16:42

p2u wrote:
ssj100 wrote:Perhaps the purest of purists would use Linux? Haha, I don't know.
Nope. I suspect that Linux machines are most often hacked (don't forget all those servers), and Mac starts displaying its many bugs when you start throwing corrupted files at it. Those types of OS (especially client machines) are just not targets yet.
But that was (one of) your initial arguments wasn't it? - "security through obscurity". At the risk of going completely off topic (and attracting Linux "fanboys"), are you implying that Linux is just as (or more) vulnerable to attacks as Windows?

And by the way, my point of using Linux (instead of Windows) was in the context of this specific "attack vector" - it simply won't run on Linux, as it's targeted at Windows. So from a purist's point of view, this provides 100% protection (until Linux itself gets actively exploited in-the-wild).

p2u wrote:P.S.: Removing the attack vector you are talking about assumes rethinking the concept of Windows and rewriting the OS from the start. From 2000 on, nothing has really changed. Microsoft has just built in some rather obscure "security" mechanisms, mostly taking away the possibility (even for experienced administrators) to configure the system easily.
I wasn't talking about removing the attack vector - I was talking about blocking or containing it. I've already shown some software which can contain such attacks. And arguing that such software may cease to exist (or similar) or that they can be "easily" bypassed doesn't really help here haha.


Re: Excel macro testing

Post by p2u on 31/12/2010, 17:07

ssj100 wrote:
p2u wrote:P.S.: Removing the attack vector you are talking about assumes rethinking the concept of Windows and rewriting the OS from the start. From 2000 on, nothing has really changed. Microsoft has just built in some rather obscure "security" mechanisms, mostly taking away the possibility (even for experienced administrators) to configure the system easily.
I wasn't talking about removing the attack vector - I was talking about blocking or containing it.
I think it is virtually impossible to block or contain anything if the creator intended otherwise. Yes, in this case we are lucky, but in the future we may see different results.

P.S.: I have a very cynical view of computer security actually. "They" don't want us to be too secure. They just don't want anybody to parasitize on their mechanisms (that's what hackers are really doing). Operating systems were meant for:
1) advertising and doing business (implies Trust, not Distrust)
2) remote control, tracking and forensics (implies Trust, not Distrust)

You don't have to reply, just think for yourself:
1) What if any creator of any OS is required by law to build in such bypass mechanisms?
2) Can any creator of any OS guarantee that insiders won't sell company secrets (such as intended backdoors in the OS)?

Paul


Last edited by p2u on 31/12/2010, 19:24; edited 1 time in total


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 17:18

p2u wrote:I think it is virtually impossible to block or contain anything if the creator intended otherwise. Yes, in this case we are lucky, but in the future we may see different results.
You can say that about anything in life. The point is that with some current software, we are able to contain this attack vector, period. Show me a current POC or even better, a piece of live malware that can bypass some of these containment mechanisms, and then we may have something significant there. Talking about the future in a negative way makes it very difficult to apply anything - it's a fatalist argument. For example: "we're all eventually going to die anyway, so why bother securing ourselves".

p2u wrote:P.S.: I have a very cynical view of computer security actually. "They" don't want us to be too secure. They just don't want anybody to parasitize on their mechanisms (that's what hackers are really doing). Operating systems were meant for:
1) advertising and doing business (implies Trust, not Distrust)
2) remote control, tracking and forensics (implies Trust, not Distrust)

You don't have to reply, just think for yourself:
1) What if any creator of any OS is required by law to build in such bypass mechanisms?
2) Can any creator of any OS guarantee that insiders sell company secrets (such as intended backdoors in the OS)?
Interesting points. In reply, I'll simply ask some questions of my own:

1. How much trust do you have in your bank(s)?
2. How much trust do you have in your Doctor(s)?
3. How much trust do you have in the water we drink and the food we eat (eg. that they are poison free every single time we drink or eat)?

I don't think anyone can 100% guarantee safety relative to one's self. I guess I'm just portraying another way of looking at it.

Another comparable example would be related to the field of Medicine - we are currently able to cure ("block" or "contain" haha) many types of sepsis with antibiotics. We are currently able to cure ("block" or "contain") many types of cancers with surgery +/- chemo/radiotherapy. Using your type of argument, you would then go on to say that in the future, these same antibiotics will not work, and the "superbugs" will "bypass" everything, or that cancers may evolve to be resistant to chemo/radiotherapy. While this may be true, we can only work with what we currently have. And trust me, there are many happy "cured" people out there! Just like there potentially could be many happy people who find themselves "containing" our said exploit.


Re: Excel macro testing

Post by p2u on 31/12/2010, 17:25

ssj100 wrote:I don't think anyone can 100% guarantee safety relative to one's self. I guess I'm just portraying another way of looking at it.
My point is (and this is a deep one): if the system was designed to bypass itself (that's what's actually happening with this macro test; all defenders seem to be paralyzed), everything installed on it will also eventually be bypassed. Everything depends on the vigilance of the knowledgeable user.
P.S.: It is not my goal to scare anyone. Just trying to find a more reasonable approach to something we can't really grasp because we lack insider's information.

Paul


Re: Excel macro testing

Post by ssj100 on 31/12/2010, 17:31

p2u wrote:My point is (and this is a deep one): if the system was designed to bypass itself (that's what's actually happening with this macro test; all defenders seem to be paralyzed), everything installed on it will also eventually be bypassed. Everything depends on the vigilance of the knowledgeable user.
Hang on, but we've already seen at least three software products that can contain such an attack vector. My reckoning is that the use of such software products will significantly minimise the risk of being "bypassed" - like with anything in life, that's all we can ask for right? And sure, what's between our ears will always be an important factor, no matter what the scenario.

p2u wrote:
P.S.: It is not my goal to scare anyone. Just trying to find a more reasonable approach to something we can't really grasp because we lack insider's information.
Fair enough. And since we aren't "leet hackers", it's hard to know what exactly can and can't be done. A lot of it is pure speculation.


Re: Excel macro testing

Post by p2u on 31/12/2010, 17:55

ssj100 wrote:Fair enough. And since we aren't "leet hackers", it's hard to know what exactly can and can't be done. A lot of it is pure speculation.
It's all up to us. That's actually very optimistic, at least as optimistic as I can make it. It is my wish for the New Year that more and more people just do away with religious belief in obscure "protection" technologies and don't give in to extortion from either "Trusted" or "Untrusted" resources. There's this saying: "If you want to do something really well, do it yourself". The only requirements: don't be lazy, don't strive for advertised "convenience" too much and shut down or remove stuff you don't really need. As Tzuk put it so well in Sandboxie's motto: "Trust no program". Happy New Year!

Paul


Re: Excel macro testing

Post by Binky on 31/12/2010, 21:04

According to Brian Krebs, Adobe Reader has the distinction of being the most targeted application by malware. I use Foxit Reader instead of Adobe Reader precisely because the former does not support script functionality (besides JavaScript) targeted by malware. I also have JavaScript disabled in Foxit. To protect against cases where my browser gets hacked (inside the sandbox), I disable the Firefox plug-in for Foxit. The only documents I couldn't render with Foxit for several years are 3D CAD files (allows the user to rotate the view) produced by my work colleague. For those, I would need the real Adobe Reader. Since my work colleague is understanding about the security issues, he lets me view 3D CAD files on his PC. Thus, I do not even have Adobe Reader installed.

My motivations for using Foxit Reader are:
1. Faster launch by maybe a factor of 10
2. Security by reduced functionality
3. Security by obscurity

Even if someone criticizes motivation #3 on academic grounds, #1 and #2 are very practical.

An observant person may suggest to just isolate Adobe Reader in a separate Sandboxie sandbox and be done with it. Since poisoned PDFs can come through email or web browsing and can attack either client application's data, I wouldn't trust Adobe Reader running in the same sandbox with my email or web browser applications. For convenience, I would rather use Foxit Reader to render PDFs launched by my email and web browser applications.

OpenOffice.org/StarOffice launches about as fast as MS Office applications. Other than this aspect, all the points I made above about Foxit Reader apply equally to OpenOffice.org/StarOffice. OpenOffice.org also has the advantage over MS Office of being free.

ssj100 wrote:Anyway, I may try testing the POC with OpenOffice.org some time.
I believe that OpenOffice.org is more accessible and less obscure than any of the security software that you found to contain the POC. Your tests would be more comprehensive with it.


Re: Excel macro testing

Post by ssj100 on 1/1/2011, 00:59

p2u wrote:There's this saying: "If you want to do something really well, do it yourself". The only requirements: don't be lazy, don't strive for advertised "convenience" too much and shut down or remove stuff you don't really need.
Exactly, and where do we draw such a line in our lives? There are many examples of security software doing good and "containing" and/or "blocking" REAL threats, just like there are many examples of people "going to the Doctor" and having their life saved.

In the end, we all strive for the correct balance in our lives to make the best decisions for ourselves - the same can be said for our computers.

And yes, Happy New Year!


Re: Excel macro testing

Post by ssj100 on 1/1/2011, 01:11

Binky wrote:The only documents I couldn't render with Foxit for several years are 3D CAD files (allows the user to rotate the view) produced by my work colleague. For those, I would need the real Adobe Reader. Since my work colleague is understanding about the security issues, he lets me view 3D CAD files on his PC.
The balance between security and usability/convenience can be a fine line! For me personally, I would find it significantly inconvenient to have to use a "colleague's" PC just to view certain files. I think if I was that concerned, I would use a sandboxed VirtualBox to open the file haha.

Binky wrote:
ssj100 wrote:Anyway, I may try testing the POC with OpenOffice.org some time.
I believe that OpenOffice.org is more accessible and less obscure than any of the security software that you found to contain the POC. Your tests would be more comprehensive with it.
The last time I checked, OpenOffice.org (OOO) is not specifically classed as an "anti-malware" application. And again, using a different type of software to avoid a "bypass" is not the point at all. The point is that our systems all have vulnerabilities in them, and it's interesting (at least for me haha) to see what direct security mechanisms can block or contain these. If the exploit was only with OpenOffice.org (Windows), I wouldn't be inclined to test it on Microsoft Office or on OpenOffice.org (Linux) - of course it wouldn't work.

There are many people out there who use Microsoft Office and who prefer it over OpenOffice.org. Some people are almost "forced" to use Microsoft Office, as OpenOffice.org often doesn't render correctly when eg. opening PowerPoint presentations (made in OOO) with Microsoft PowerPoint - if eg. their workplace uses Microsoft Office, it may be difficult to completely change to OOO.

Also, the last time I checked, Microsoft Office opened about 100 times faster than OOO haha. Anyway, isn't Windows more targeted than Linux? So going with your Adobe argument, why not use Linux?


Re: Excel macro testing

Post by ssj100 on 1/1/2011, 02:48

Okay, I just tested the Excel POC with OpenOffice.org - it literally took about 2 whole minutes to open the file (already suggesting that something's not quite right?). And surprise surprise, the macro/file doesn't seem to be compatible with OOO. This is what happens when I try to run the macro:

I think the macro wasn't even loaded when the Excel document eventually opened (despite already changing the macro security level to "Medium"). I say this because when I look for the macro (via Tools > Macros > Run Macro...), I can't seem to find it. So it's a fairly useless test really - it's like me testing this file on Linux and showing the same (or similar) error message - of course it was never going to work.

Anyway, I think some of the take home messages are as follows:
1. A certain level of security can be achieved through "obscurity" (particularly with non-targeted attacks).
2. DefenseWall, Sandboxie and GeSWall all appear to be excellent at what they do - "containment".
3. There are many ways we can "harden" Windows to minimise the risk of being exploited.
4. The balance of security and usability/convenience is a fine line, and is different for different people.
5. We all have to have an element of trust in the software we use and in the security setups/approaches we practise, otherwise we'd never get anything done with our computers! If viewing ".txt" is all you ever want to do, good for you!
6. There must be a reason why I don't test exploits on Linux haha.

Finally, here's something a little philosophical to ponder on (since it's the first day of the New Year haha):
1. We can spend so much time and effort researching about ways to configure our computer systems to make them as safe as possible for our wants/needs, and then spend the same level of time and effort applying these configurations.
2. Do we spend at least the same level of time and effort when it comes to our health, relationships, and spirituality? If not, what's really more important here?
3. I promise I will try to make it the first and last time I ever write something like that on this forum haha.


Re: Excel macro testing

Post by Binky on 1/1/2011, 07:37

Thanks for testing with OOo. I suggest editing the second post in this topic with your results from CIS 5.3 and OOo. Test results are more meaningful than our opinions to many people. Now there are 4 options for containment.

Family and friends send me PowerPoint-format presentations and MS Word-format docs occasionally, and they have little security on their computers. So I wouldn't open them with MS Office unsandboxed. I get acceptable rendering results with OOo and Jarte (lightweight!) for MS Office files, so I have no motivation to spend extra money for MS Office on my personal PCs. When I author documents, I use OOo's ODF format, which MS Office will read. When I send documents to others, I convert them to PDF format to ensure accurate rendering on PCs and Macs.


Re: Excel macro testing

Post by ssj100 on 1/1/2011, 09:31

Binky wrote:Thanks for testing with OOo. I suggest editing the second post in this topic with your results from CIS 5.3 and OOo. Test results are more meaningful than our opinions to many people. Now there are 4 options for containment.
No, that would potentially mislead people. If people are interested enough, they should read through the entire thread. And test results are only meaningful when you interpret them correctly - I'm sorry to say but I think you've misinterpreted my testing of CIS and OOo.

What is the 4th option for containment? Perhaps I have not been very clear with my explanations (which you appear to be taking as my "opinions"?). I always try to be as honest and clear as possible with my testing. CIS and OOo are not able to "block" or "contain" this POC. Instead, CIS is able to cripple the Excel file so that ALL macros don't load (in fact, they aren't even available to load). The same goes with OOo in this test - the macro isn't even available in the Excel file once it's opened. In the test, I want the macro to be available, I want the macro to load into Excel, and I want to see if any software can contain or specifically block subsequent execution (into memory). If the macro is not even available to load, then we can't test it. As I already said, if you want to say that the CIS sandbox or OOo passes the test, then you can say that Microsoft Office also passes the test - by default, Microsoft Office blocks the macro from loading, and it does it much better than OOo haha - it doesn't take 2 minutes to open and it directly prevents the macro from loading properly (as opposed to tossing up an error message that the macro isn't even available).

Again, we are not talking about blocking the macro from loading - we want the macro to load into Excel (to do the test properly). What we don't want is the subsequent foreign executable code ("cmd.exe" and "regedit.exe") to run. From my testing so far, no software can block this executable code from running, and only Sandboxie, DefenseWall and GeSWall can contain it - that is, they run "cmd.exe" and "regedit.exe" sandboxed/untrusted/isolated.

EDIT:
Also, again, the use of Office macros is only one example. Any new code introduced to the system could have a vulnerability that results in an exploit via a similar attack vector.

I hope that's clearer now. Sorry for any confusion.


Last edited by ssj100 on 1/1/2011, 09:39; edited 2 times in total

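Worked example, added here and not code from the thread, from the POC it discusses or from any product named in it. ssj100's first post on this page and his clarification just above both describe the same shape of attack: the macro carries cmd.exe and regedit.exe inside itself and maps them into Excel's own memory, so no new file ever reaches the disk for SRP/AppLocker to judge. A practitioner who wants to know what a macro is going to do before running it in a sandbox can triage the VBA source statically for the ingredients of that technique: Win32 API Declares that allocate memory, copy bytes and start threads, an auto-run trigger, and a long string literal that decodes to a PE (MZ) header. The scanner below does that. It assumes the VBA source has already been extracted from the workbook (for example with olevba from the oletools package); the API lists, the scoring and both sample macros are constructed for the example.

```python
"""Static triage of VBA source for in-memory PE-loader indicators.

Added example, not code from the thread, from the POC it discusses or from
any product it names. Assumes the VBA source has already been extracted
(e.g. with olevba from oletools); the API lists and sample macros are
constructed for the example.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# APIs a VBA loader typically Declares to map a PE into the host process and
# start it: the "launched into memory within the Excel process" step.
LOADER_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "RtlMoveMemory", "CreateThread", "CreateRemoteThread", "NtCreateSection",
    "NtMapViewOfSection", "LoadLibraryA", "LoadLibraryW", "GetProcAddress",
}
# APIs that spawn from disk or fetch from the network: these leave an on-disk
# image that SRP/AppLocker can see, so on their own they rate lower.
EXEC_APIS = {"CreateProcessA", "CreateProcessW", "ShellExecuteA",
             "ShellExecuteW", "WinExec", "URLDownloadToFileA"}
AUTO_TRIGGERS = ("Auto_Open", "Workbook_Open", "Auto_Close", "Document_Open")

DECLARE_RE = re.compile(
    r'^\s*(?:Public|Private)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)'
    r'\s+(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE)
HEX_BLOB_RE = re.compile(r'"([0-9A-Fa-f]{64,})"')
B64_BLOB_RE = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')


@dataclass
class Findings:
    declared_apis: list = field(default_factory=list)   # "lib!ExportName"
    loader_apis: list = field(default_factory=list)
    exec_apis: list = field(default_factory=list)
    auto_triggers: list = field(default_factory=list)
    embedded_pe: bool = False

    def verdict(self) -> str:
        if self.loader_apis and (self.embedded_pe or self.auto_triggers):
            return "likely-in-memory-loader"
        if self.loader_apis or self.embedded_pe:
            return "suspicious"
        if self.exec_apis or self.auto_triggers:
            return "review"
        return "clean"


def _blob_is_pe(text: str) -> bool:
    """True if any long hex or Base64 string literal decodes to an MZ header."""
    for blob in HEX_BLOB_RE.findall(text):
        try:
            if binascii.unhexlify(blob).startswith(b"MZ"):
                return True
        except binascii.Error:
            pass
    for blob in B64_BLOB_RE.findall(text):
        try:
            if base64.b64decode(blob, validate=True).startswith(b"MZ"):
                return True
        except binascii.Error:
            pass
    return False


def scan_vba(source: str) -> Findings:
    f = Findings()
    for name, lib, alias in DECLARE_RE.findall(source):
        real = alias or name          # an Alias hides the true export name
        f.declared_apis.append(f"{lib}!{real}")
        if real in LOADER_APIS:
            f.loader_apis.append(real)
        if real in EXEC_APIS:
            f.exec_apis.append(real)
    for trig in AUTO_TRIGGERS:
        if re.search(rf"\b(?:Sub|Function)\s+{trig}\b", source, re.IGNORECASE):
            f.auto_triggers.append(trig)
    f.embedded_pe = _blob_is_pe(source)
    return f


# Constructed sample with the shape of a loader; not the thread's POC.
LOADER_VBA = r'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" _
    (ByVal lpAddress As LongPtr, ByVal dwSize As Long, _
     ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" _
    (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long)
Private Declare PtrSafe Function CreateThread Lib "kernel32" _
    (ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As Long, _
     ByVal lpStartAddress As LongPtr, lpParameter As LongPtr, _
     ByVal dwCreationFlags As Long, lpThreadId As LongPtr) As LongPtr
Const PAYLOAD As String = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000"
Sub Auto_Open()
    ' A real loader would decode PAYLOAD, map it and start a thread here.
End Sub
'''
# Constructed benign sample.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("loader", LOADER_VBA), ("benign", BENIGN_VBA)):
        r = scan_vba(src)
        print(f"{label}: {r.verdict()} loader={r.loader_apis} pe={r.embedded_pe}")
```

The verdict is a triage hint, not a safety verdict: a macro that builds its strings at runtime, reaches the same APIs through a single generic Declare, or uses an Excel 4.0 macro sheet (which contains no VBA at all) will score "clean" here. That is exactly why the thread's point stands: a macro you cannot rule out statically still has to be opened under containment, where the cmd.exe and regedit.exe it launches run sandboxed rather than on the real system.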

Re: Excel macro testing

Post by ParadigmShift on 1/1/2011, 09:35

I still sleep at night.

ParadigmShift
New Member
Posts : 1
Join date : 2011-01-01
